Questions to Ask Your Landlord and Agent About Data Security

Wow, it's been over a year since the last installment of the Questions series!

Security of personal information has been in the news lately. Companies have been getting their privacy policies in order as the deadline for compliance with the EU's General Data Protection Regulation approaches. More and more sites are warning you that they use cookies to store information. Green padlocks have been popping up all over in response to Google's crackdown on unencrypted websites. Facebook is in hot water for providing user data to Cambridge Analytica.

Renters entering the housing market this year will be doing so after months of fear mongering about data security, identity theft and compromised passwords. They will come up against lengthy rental applications that ask for enormous amounts of personal data, leading many to wonder exactly how landlords, who often operate their businesses out of spare bedrooms and converted storefronts, are equipped to safeguard that information.

It's become quite common and expected for landlords to pull credit reports on tenants. To do so they need your name, birth date, social security number and most recent address. This is certainly enough information to steal your identity. If you're working with an agency, the agency will ask for that same data and provide it to landlords with every application you complete. Even so, renters who are desperate to be accepted for an apartment rarely bother to ask their agents and prospective landlords about the practices they follow in the office to keep personal renter information secure. With that in mind, here are some questions you should ask any prospective landlord or agent before you fill out that application.

As is the case with all installments in the Questions series, you should not ask every question on this list or you risk being marked as a hostile applicant. Choose one or two, and only go into further depth if you get answers that make you feel uneasy.

For All:

1. What screening practices do you use for employees who handle financial information and credit reports?
2. How long do you retain application information and credit reports? How about rental history? (Unless an applicant is suspected of using stolen information, data should only be retained until the tenant moves in. If the landlord wants to file suit for fraud against a tenant using falsified information, they can keep evidence on file for up to five years. Payment information and maintenance request logs can be kept for up to 10 years from expiration of the final lease in Illinois.)
3. If you keep paper copies of credit reports in the office, how do you secure them?
4. Are digitized versions of credit reports stored on a web-facing computer? If so, what security practices do you follow for that computer?
5. Is there any point in your data chain where personal financial information is transferred to an employee's laptop, mobile phone or other portable device?
6. Is there any point in your data chain where credit reports or applications are sent over potentially unencrypted methods such as FAX, email or unencrypted websites?
7. If you encountered an application using obviously stolen information, what would you do?
8. What systems do you have in place for destroying sensitive information when you're done with it? (Paper copies should be burned or pulverized. Disk drives should be destroyed.)
9. Do you pull entire consumer credit reports or do you use a service that only provides a score? (Score-only is safer from a data standpoint, but if a landlord can see the full report it may allow them to be more lenient with people who have weak scores due to unrelated issues.)
10. Do use contact information obtained from applicants for any reason other than processing the application? (Marketing newsletters, selling to advertisers, etc.)
11. If I asked you to delete my file when you're done with it, would you do so? (The US has no "right to be forgotten" as the EU does, so this is entirely up to the whims of each business.)
12. If you accept applications through your website, does your web developer or any other outside company still have access to the database?

For Landlords Only:

1. How much proof of identity do you require from other landlords before disclosing a tenant's rental history? (Landlords will often call previous landlords directly to verify a tenant's rental history. It's a common weak link in data security.)
2. How many people have access to tenant applications and credit reports?
3. If you accept online rent payments, what service do you use to process them?
4. If you accept credit card payments for rent, is there any point in the payment chain where your employees can see a tenant's entire unmasked credit card number?
5. Do you allow renters to provide their own credit reports? (They absolutely should not, as this encourages identity thieves to use stolen information to obtain apartments.)
6. How secure is the office where you keep tenant files?
7. If tenants have access to online accounts, can anyone in the company or at third party web design companies see their username and password?

For Agencies:

1. How much data do you provide to landlords when I apply for an apartment?
2. Do you verify a landlord's data security practices before approving them as clients who can receive credit reports?
3. What sort of training do your application processors get in best practices for data security?
4. Does this office have any licensed Realtors or mortgage brokers working in-house? (These businesses have more restrictive laws governing their data retention and must submit to annual third party audits.)

If after asking these questions you get answers that make you uncomfortable, that does not necessarily mean that the landlord is a bad landlord. They may be behind the technological times but this is not uncommon within the industry. Bad data security practices shouldn't put you off from applying for that perfect apartment.

You can, however, respond to that discomfort by writing "call for information" in the social security number and birth date fields instead of the requested information. When the call comes in, make it very clear that if they write down the information it should be on a separate piece of paper from your application that bears no other identifying info and gets shredded immediately after use.